TokBox’s OpenTok 2.0 platform implements security at multiple levels. OpenTok’s security measures include restricting endpoint access to OpenTok sessions, providing a role-based security model, and securing the basic voice and video traffic that moves through the OpenTok cloud and between endpoints.
OpenTok is built entirely on proven, open standards that were written by industry experts and have been used for years in commercial products. The core protocols behind OpenTok's WebRTC security are SRTP for media traffic encryption and DTLS-SRTP for key negotiation, both defined by the IETF.
OpenTok WebRTC-compatible endpoints use the AES cipher with 128-bit keys to encrypt audio and video, and HMAC-SHA1 to verify data integrity.
During peer-to-peer connections (including connections relayed through cloud-based TURN servers), the OpenTok 2.0 endpoints generate random keys at the beginning of the session and rotate them periodically during the conversation for added safety. For connections that use OpenTok’s cloud-based scaling capabilities, the OpenTok cloud acts as an endpoint and takes part in key generation. In both cases, to increase security, keys are ephemeral: they are valid only for a short period of time, and they are neither stored nor persisted anywhere.
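As an added example (not TokBox's or OpenTok's code), the following Go program is a teaching model of the SRTP protection described above: AES-128 in counter mode for confidentiality, an 80-bit HMAC-SHA1 tag for integrity, and rejection of any altered packet before it is decrypted. The keys are passed in directly; in a real session they would be the ephemeral keys negotiated over DTLS-SRTP. The function names, the IV layout and the exact MAC input are my simplifications, not SRTP's conforming construction.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// Teaching model of SRTP's AES_CM_128_HMAC_SHA1_80 profile (AES-128-CTR plus an 80-bit
// HMAC-SHA1 tag); IV layout and MAC input are simplified, keys are passed in directly.
const tagLen = 10 // 80-bit authentication tag
// xorKeystream runs AES-128-CTR with a counter built from SSRC and packet index so
// a key/counter pair never repeats; CTR is symmetric, so the same call decrypts.
func xorKeystream(encKey []byte, ssrc uint32, index uint64, dst, src []byte) error {
	block, err := aes.NewCipher(encKey) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return err
	}
	iv := make([]byte, 16)
	binary.BigEndian.PutUint32(iv[4:], ssrc)
	binary.BigEndian.PutUint64(iv[8:], index)
	cipher.NewCTR(block, iv).XORKeyStream(dst, src)
	return nil
}
func tag(authKey, data []byte) []byte { // HMAC-SHA1 truncated to the SRTP tag length
	m := hmac.New(sha1.New, authKey)
	m.Write(data)
	return m.Sum(nil)[:tagLen]
}
// Protect returns header || AES-CTR(payload) || tag(header || ciphertext).
func Protect(encKey, authKey []byte, ssrc uint32, index uint64, header, payload []byte) ([]byte, error) {
	pkt := append(append([]byte{}, header...), make([]byte, len(payload))...)
	if err := xorKeystream(encKey, ssrc, index, pkt[len(header):], payload); err != nil {
		return nil, err
	}
	return append(pkt, tag(authKey, pkt)...), nil
}
// Unprotect checks the tag in constant time before decrypting, so tampered packets are dropped.
func Unprotect(encKey, authKey []byte, ssrc uint32, index uint64, headerLen int, pkt []byte) ([]byte, error) {
	if len(pkt) < headerLen+tagLen {
		return nil, errors.New("packet too short")
	}
	body, got := pkt[:len(pkt)-tagLen], pkt[len(pkt)-tagLen:]
	if !hmac.Equal(got, tag(authKey, body)) {
		return nil, errors.New("authentication failed")
	}
	out := make([]byte, len(body)-headerLen)
	return out, xorKeystream(encKey, ssrc, index, out, body[headerLen:])
}
```

The RTP header stays readable so relays can route the packet, while the media payload is unreadable and any bit flip in header or payload fails verification.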